This requires a few tweaks before it will work as advertised. I had a variable set in a distro.conf that interfered. I'll send out a v2 in a bit.
- Philip

On 11/13/2013 12:22 AM, Philip Tricca wrote:
> This RFC is a significant departure from the way the policy packages are
> currently set up. The noteworthy differences are:
> 1) the POLICY_TYPE variable can be set as configuration outside the policy
> recipe
> 2) a single refpolicy recipe can be used to build all 3 policy types
> 3) DEFAULT_POLICY from selinux-config can be set outside the config recipe
> 4) refpolicy depends on the config and sets the DEFAULT_POLICY accordingly
>
> This approach was taken to allow the use of a policy type beyond MLS. I've
> left the other refpolicy-* recipes intact but if this approach is acceptable
> they could be removed if we're willing to accept the limitation that only
> one policy may be installed on a given image. If this limitation isn't
> acceptable then they can be left as is.
>
> Comments and input would be appreciated.
>
> Cheers,
> - Philip
>
> Signed-off-by: Philip Tricca <fl...@twobit.us>
> --- > .../packagegroups/packagegroup-selinux-minimal.bb | 3 +-- > recipes-security/refpolicy/refpolicy_2.20130424.bb | 19 > +++++++++++++++++++ > recipes-security/selinux/selinux-config_0.1.bb | 2 +- > 3 files changed, 21 insertions(+), 3 deletions(-) > create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb > > diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb > b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb > index 072320d..af29da1 100644 > --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb > +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb > @@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1" > RDEPENDS_${PN} = "\ > policycoreutils-semodule \ > policycoreutils-sestatus \ > - selinux-config \ > - refpolicy-mls \ > + refpolicy \ > " > diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb > b/recipes-security/refpolicy/refpolicy_2.20130424.bb > new file mode 100644 > index 0000000..c00aca3 > --- /dev/null
> +++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb > @@ -0,0 +1,19 @@ > +SUMMARY = "The SELinux reference policy." > +DESCRIPTION = "\ > +This is the reference policy for the SELinux mandatory access control \ > +system. There are 3 supported policy types: standard, MCS and MLS. The \ > +standard policy is the most simple of the three providing the standard \ > +type enforcement policy. The MCS policy adds an additional element to the \ > +SELinux label called a category. Finally the MLS variant allows giving data \ > +labels such as \"Top Secret\" and preventing such data from leaking to \ > +processes or files with lower classification. \ > +" > + > +PR = "r0" > + > +POLICY_TYPE ??= "mls" > +DEFAULT_POLICY = "${POLICY_TYPE}" > + > +RDEPENDS_${PN} = "selinux-config" > + > +include refpolicy_${PV}.inc > diff --git a/recipes-security/selinux/selinux-config_0.1.bb > b/recipes-security/selinux/selinux-config_0.1.bb > index 27d9995..293218e 100644 > --- a/recipes-security/selinux/selinux-config_0.1.bb > +++ b/recipes-security/selinux/selinux-config_0.1.bb > @@ -1,4 +1,4 @@ > -DEFAULT_POLICY = "mls" > +DEFAULT_POLICY ??= "mls" > > SUMMARY = "SELinux configuration" > DESCRIPTION = "\ >
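
Review bot: In packagegroup-selinux-minimal.bb, removing `selinux-config \` from RDEPENDS_${PN} leaves the packagegroup relying on the new refpolicy recipe's `RDEPENDS_${PN} = "selinux-config"` to get the configuration onto the image. That coupling is implicit: if that line in refpolicy_2.20130424.bb is later changed or dropped, the minimal image loses selinux-config without any change to this file. Either keep `selinux-config \` listed here, or state the reliance in the commit message so the next editor of the refpolicy recipe knows about it.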
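
Review bot: In the new refpolicy_2.20130424.bb, `DEFAULT_POLICY = "${POLICY_TYPE}"` is assigned inside the refpolicy recipe, and a variable assigned in one recipe is not visible when BitBake parses another, so this line cannot change what selinux-config_0.1.bb sees; `RDEPENDS_${PN} = "selinux-config"` only adds a runtime package dependency. With POLICY_TYPE overridden in a conf file and DEFAULT_POLICY left alone, selinux-config still falls back to "mls", and the image would be configured for a policy type other than the one that was built. Unless refpolicy_${PV}.inc (not shown here) reads DEFAULT_POLICY itself, drop the assignment and drive both recipes from a single conf-level setting, or document that POLICY_TYPE and DEFAULT_POLICY must be set together. Separately, `include refpolicy_${PV}.inc` continues silently if the file is missing; `require` would fail the parse instead.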
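
Review bot: In selinux-config_0.1.bb, `DEFAULT_POLICY ??= "mls"` makes the value settable from outside the recipe, but the hunk adds neither a comment naming the accepted values nor any check on them. The refpolicy DESCRIPTION in this patch lists three policy types (standard, MCS, MLS); a comment above the assignment stating the accepted strings and that the value is expected to match POLICY_TYPE would keep an image from being configured for a policy that is not installed.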